10 Fraud and Abuse Enforcement Trends You Can't Afford to Ignore in 2013

To paraphrase a famous quote, "Those who do not learn from history are doomed to repeat it," and providers who ignore the significance of the federal government's healthcare fraud enforcements efforts in 2012 do so at their own peril. As expected, 2012 saw an increase in the number of criminal, civil and administrative enforcement cases, fueled by additional funding and enforcement tools provided by the Affordable Care Act (ACA) and other regulatory overhauls that are fundamentally reshaping the healthcare industry. But 2012 also included unexpected and unprecedented developments that could serve as important indicators of what's to come in 2013. Using lessons from 2012, we have compiled a list of the ten fraud and abuse enforcement trends that providers simply cannot afford to ignore in 2013:

In 2012, large pharmaceutical companies frequently were targeted in enforcement actions. Many of the pharmaceutical industry's biggest players, including Abbott, GlaxoSmithKline (GSK) and Pfizer, settled allegations of off-label promotion and improper sales conduct by paying millions and, in some cases, billions of dollars to the federal government. However, now that most of these large pharmaceutical companies have resolved their fraud and abuse liability, the federal government appears to be shifting its enforcement focus to hospitals. The year 2012 saw a general increase in the number of settlements involving hospitals, with many settlements focusing on allegations that the hospitals were admitting patients for the performance of services, such as kyphoplasty services, that should have been performed on an outpatient basis. These settlements involved some large and well-known hospital systems and resulted in substantial recoveries for the federal government. Hospitals can expect more of this enforcement activity in 2013.

When it comes to HIPAA/HITECH enforcement, the gloves are off.

The HHS OCR published an unprecedented number of settlements stemming from breaches of unsecured electronic health information under HIPAA/HITECH in 2012. In doing so, OCR sent a strong message to the healthcare industry: the time for education is over -- the time for enforcement is now. For example, the OCR published the first ever settlement agreement stemming from a breach affecting less than 500 individuals in 2013, further demonstrating its zero tolerance approach towards HIPAA/HITECH violations. In addition, the long-awaited HIPAA Omnibus Final Rule finally has been released, increasing the penalties noncompliant providers could face. In light of the Final Rule, we can expect record-breaking levels of HIPAA/HITECH enforcement activity to continue in 2013.

More individuals, including C-suite executives, are being held personally accountable.

The federal government has demonstrated a willingness to supplement the deterrent effect of monetary penalties against noncompliant corporations by holding individuals, including corporate officers and executives, personally accountable for the actions of their corporation. This strategy was readily apparent in Friedman v. Sebelius (D.C. Cir., No. 11-5028, July 27, 2012). In Friedman, Purdue Frederick Company's president, executive vice president, chief legal officer and vice president of medical affairs each pleaded guilty to misdemeanor misbranding charges under the Responsible Corporate Officer (RCO) doctrine in connection with fraudulent marketing practices. Under the RCO, the government did not need to prove that the executives intended to violate the law -- just that they failed to prevent violations occurring within the company.

But the federal government's efforts to hold these individual's accountable did not stop with the criminal prosecution. The HHS OIG also moved to exclude the Purdue executives from participation in federal healthcare programs for a period of 20 years. While the length of these exclusions was eventually reduced, Friedman sent a clear message that fraud and abuse will be addressed at the individual as well as the corporate level.

Two other 2012 cases further demonstrated this approach. In its plea agreements with GSK and Abbott Pharmaceuticals, the DOJ required the president of GSK's North American Pharma Division and Abbott's CEO to personally certify, under penalty of perjury, that their respective companies had satisfied the government's compliance requirements under the agreement. Such Sarbanes-Oxley-type certification requirements underscore the government's focus on deterring fraud and abuse by holding individuals, including corporate officers and executives, personally accountable. As 2013 promises to bring more of the same, C-suite executives should be aware that failing to be actively involved in their organization's compliance efforts could result in personal liability.

In addition to revealing the federal government's intention to hold corporate officers and executives personally accountable, Friedman also may have affected the strategy by which individuals charged with criminal healthcare fraud offenses choose to resolve their case. Recall that in Friedman, the Purdue executives pleaded guilty in a criminal case to a misdemeanor charge of off-label promotion of drugs. This charge did not require any proof or admission by the defendants that they had engaged in fraudulent or intentional misconduct. Nonetheless, the OIG exercised its permissive exclusion authority against the executives on the basis that a conviction for misbranding of a drug constituted a misdemeanor "relating to fraud" under 42 U.S.C. § 1320a-7(b). In upholding the exclusion, the D.C. Circuit Court of Appeals reasoned that the exclusion statute was intended to apply broadly to any conviction that has a "factual connection" to fraudulent conduct, even if the offense charged does not require proof of fraud. In light of Friedman, individuals should consider the consequences of pleading guilty to misdemeanor charges in an effort to resolve a case that could include felony charges, as doing so could result in exclusion if the OIG finds that the misdemeanor has a factual connection to fraudulent conduct.

Plea agreements may be used more frequently as a compliance tool.

The DOJ has demonstrated that it was not opposed to placing offending companies under its own compliance supervision via a plea agreement, which could include more severe consequences for noncompliance than those typically found in a corporate integrity agreement. The GSK and Abbott plea agreements each included numerous compliance mandates that, if violated, could unravel the plea agreement and result in new criminal charges being filed, in addition to significant monetary sanctions. These plea agreements, as discussed above, also imposed certification obligations, under penalty of perjury, on each company's corporate executives. While these plea agreements do not necessarily indicate a formal shift in the DOJ's healthcare fraud prosecution policies, organizations should be aware of the DOJ's inclination to use plea agreements as an additional compliance tool.

On September 24, 2012, HHS and the DOJ sent a letter to the country's leading hospital associations discussing their concern that electronic health records (EHRs) were being used "to game the system" in furtherance of fraud and abuse in the nation's healthcare programs. The letter did not include any guidance to providers, but it did indicate that "appropriate steps" would be taken to combat fraud and abuse related to EHRs. The letter indicated that action could include administrative payment suspensions and/or criminal prosecutions.

Employment of excluded individuals will continue to be an enforcement priority.

Of all the actions in which OIG has assessed CMPs against a provider, either based on the provider's self-disclosure or another source, 57 percent of the CMPs were imposed for employing excluded individuals. A long-standing concern by the federal government, the employment of excluded individuals will remain a major enforcement priority in 2013 that healthcare providers must address by implementing effective screening processes.

More regulations are on the way.

In addition to the HIPAA Omnibus Final Rule, several other rules and regulations, many of which are required under the ACA, have been published or are slated for publication in 2013. For example, the recently issued Physician Payment Sunshine Act Final Rule will require mandatory disclosure of payments between manufacturers and physicians. Additionally, rules regarding mandatory compliance programs and overpayment refunds also are expected in 2013. These rulemakings could have a dramatic impact on the healthcare industry, and we will continue to monitor these issues.

Healthcare fraud and abuse enforcement is big business, involving big dollars, and will only continue to expand.

In a recent speech, HHS Inspector General Daniel Levinson opined that 20-30 percent of all healthcare spending was waste and abuse. Pursuant to this position, in 2012 the federal government continued to aggressively pursue recovery of these funds by securing substantial settlement payments, including multiple billion dollar settlement payments, from noncompliant providers. States also are getting in on the act. For example, the Texas attorney general's office recently reported a new state record of $1 billion in Medicaid fraud recoveries over the last ten years; $400 million of which was returned to the state's coffers. Because fraud and abuse enforcement and recovery efforts tend to be well received on both sides of the political aisle, expect continued expansion of fraud and abuse enforcement activity by federal and state government in 2013 and beyond.

Providers should think outside the box when developing and/or improving their compliance programs.

While BakerHostetler has had much success in defending against the enforcement activity described above, the first step in mitigating or avoiding enforcement is an organization's commitment to compliance with federal and state healthcare laws and regulations, including the anti-kickback statute, Stark and physician self-referral laws, billing compliance and HIPAA and privacy breach regulations, among other risk areas. BakerHostetler routinely designs and assists healthcare providers with the implementation of corporate compliance programs, which memorialize an organization's commitment to compliance and allow for early detection of possible fraud and abuse issues.

Latest Posts

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

- hide

Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.